by Sugar, David

[permalink] [raw]

Subject: [refpolicy] Refpolicy and gdm/gnome?

> -----Original Message-----
> From: refpolicy-bounces at oss.tresys.com [mailto:refpolicy-
> bounces at oss.tresys.com] On Behalf Of Dominick Grift via refpolicy
> Sent: Friday, November 10, 2017 10:27 AM
> To: refpolicy at oss.tresys.com
> Subject: Re: [refpolicy] Refpolicy and gdm/gnome?
>
> On Fri, Nov 10, 2017 at 03:04:56PM +0000, David Sugar via refpolicy
> wrote:
> > I'm slowly working my way through this stuff. For the transitions for
> wm_exec_t and dbusd_exec_t I used the wm_role_template and
> dbus_role_template which deal with the transitions but lead to other
> denials (due to the newly created types).
> >
> > One of the issues with files not being labeled properly is
> /run/user/<userid> which is created by systemd-logind. systemd-logind
> is mounting a tmpfs for each user as they login (and removing at
> logout). But this is getting the type tmpfs_t rather than
> user_runtime_t (thus the complaint about running restorecon). Anyway,
> the following seems to work, but is this the correct way? Is there
> something else that controls the label of this mount point?
>
> If i recall correctly Nicolas Iooss indicated that he fixed that logind
> labeling issue in systemd (i might be wrong and/or you might still be
> using a systemd/logind without that fix), but to effectively use this
> you still probably want to use the %{USERID} libsemanage functionality
> to specify contexts for user runtime dirs and that might also not be
> available
>
> Example:
> /run/user/%{USERID} -d system_u:object_r:user_runtime_t:s0
>
> Point is that logind should create these user runtime dirs with the
> context that is generated by genhomedircon for that particular users
> runtime dir i believe.

You have a good memory. I looked through the systemd git repo and indeed Nicolas Iooss made a change that claims to fix this problem (in February 2016). It appears to be in systemd v229. Unfortunately RHEL/CentOS is still distributing systemd v219 and even though they are back porting some patches this doesn't appear to be one of them (though I have not actually reviewed the source, just the changelog).

> > I will submit this as a formal patch. I'm sure the name of the new
> interface 'userdom_user_run_filetrans_user_runtime' needs to be changed.
> I'm open to suggestions of what might be correct.
> >
> > The complaint I'm getting is this:
> > !!!! The file '/run/user/42' is mislabeled on your system.
> > !!!! Fix with $ restorecon -R -v /run/user/42 allow systemd_logind_t
> > user_runtime_root_t:dir mounton;
> >
> > The patch to resolve is this:
> > ---
> > policy/modules/system/systemd.te | 1 +
> > policy/modules/system/userdomain.if | 30
> > ++++++++++++++++++++++++++++++
> > 2 files changed, 31 insertions(+)
> >
> > diff --git a/policy/modules/system/systemd.te
> > b/policy/modules/system/systemd.te
> > index 2d0393a3..1498ca32 100644
> > --- a/policy/modules/system/systemd.te
> > +++ b/policy/modules/system/systemd.te
> > @@ -448,6 +448,7 @@
> > userdom_relabelfrom_user_runtime_dirs(systemd_logind_t)
> > userdom_relabelto_user_runtime_dirs(systemd_logind_t)
> > userdom_setattr_user_ttys(systemd_logind_t)
> > userdom_delete_user_runtime_files(systemd_logind_t)
> > +userdom_user_run_filetrans_user_runtime(systemd_logind_t, dir)
> > userdom_use_user_ttys(systemd_logind_t)
> >
> > optional_policy(`
> > diff --git a/policy/modules/system/userdomain.if
> > b/policy/modules/system/userdomain.if
> > index 49eff3a6..e5fa98fa 100644
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -3231,6 +3231,36 @@
> > interface(`userdom_user_runtime_root_filetrans_user_runtime',`
> >
> > ########################################
> > ## <summary>
> > +## Create objects in the user runtime root
> > +## directory with an automatic type transition
> > +## to the user runtime dir type.
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +## <param name="object_class">
> > +## <summary>
> > +## The class of the object to be created.
> > +## </summary>
> > +## </param>
> > +## <param name="name" optional="true">
> > +## <summary>
> > +## The name of the object being created.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`userdom_user_run_filetrans_user_runtime',`
> > + gen_require(`
> > + type user_runtime_t;
> > + ')
> > +
> > + fs_tmpfs_filetrans($1, user_runtime_t, $2, $3)
> > +')
> > +
> > +########################################
> > +## <summary>
> > ## Read and write user tmpfs files.
> > ## </summary>
> > ## <param name="domain">
> > --
> > 2.13.6
> >
> >
> > ________________________________________
> > From: refpolicy-bounces at oss.tresys.com
> > <[email protected]> on behalf of Guido Trentalancia via
> > refpolicy <[email protected]>
> > Sent: Wednesday, November 8, 2017 3:33:52 PM
> > To: refpolicy at oss.tresys.com
> > Subject: Re: [refpolicy] Refpolicy and gdm/gnome?
> >
> > In order of importance (and, to some degree, decreasing safety), the
> permissions are probably as follows:
> >
> > #============= init_t ==============
> > allow init_t xdm_t:dbus send_msg;
> >
> > #============= initrc_t ============== allow initrc_t xdm_t:dbus
> > send_msg; allow initrc_t xdm_t:process getsched;
> >
> > plus the systemd ones, plus the following ones:
> >
> > #============= xdm_t ==============
> > allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
> > allow xdm_t wm_exec_t:file { execute execute_no_trans getattr open
> > read }; allow xdm_t xkb_var_lib_t:dir search; allow xdm_t
> > xkb_var_lib_t:file { getattr open read }; allow xdm_t init_t:dbus
> > send_msg; allow xdm_t init_t:system status; allow xdm_t initrc_t:dbus
> > send_msg;
> >
> > allow xdm_t self:process setcap;
> > allow xdm_t sound_device_t:chr_file { ioctl open read write };
> >
> > allow xdm_t systemd_locale_t:dbus send_msg; allow xdm_t
> > systemd_logind_var_run_t:dir read; allow xdm_t
> > systemd_logind_var_run_t:fifo_file write; allow xdm_t
> > systemd_machined_var_run_t:dir read; allow xdm_t
> > systemd_sessions_var_run_t:dir { open read }; allow xdm_t
> > systemd_sessions_var_run_t:file { getattr open read }; allow xdm_t
> > udev_var_run_t:file { getattr open read };
> >
> > #============= xserver_t ============== allow xserver_t xdm_t:file {
> > open read }; allow xserver_t xdm_t:lnk_file read;
> >
> > Then, at the second position, we probably have:
> >
> > #============= xdm_t ==============
> > allow xdm_t kernel_t:unix_stream_socket connectto; allow xdm_t
> > self:netlink_kobject_uevent_socket { bind create getattr read setopt
> > }; allow xdm_t self:netlink_selinux_socket { bind create };
> >
> > Then, at the third position:
> >
> > #============= colord_t ============== allow colord_t
> > systemd_sessions_var_run_t:file { getattr open read }; allow colord_t
> > xdm_t:dir search; allow colord_t xdm_t:file { getattr open read };
> >
> > #============= xdm_t ==============
> > allow xdm_t sysctl_vm_overcommit_t:file { open read }; allow xdm_t
> > sysctl_vm_t:dir search;
> >
> > At the fourth position, we probably have the following permissions (if
> it hasn't started yet):
> >
> > #============= xdm_t ==============
> > allow xdm_t sysctl_crypto_t:dir search; allow xdm_t
> > sysctl_crypto_t:file { getattr open read };
> >
> > At the fifth position, we probably have (increasingly dangerous):
> >
> > #============= xdm_t ==============
> > allow xdm_t staff_t:key { link search write };
> >
> > #============= xserver_t ============== allow xserver_t
> > self:capability sys_ptrace; allow xserver_t staff_t:file { open read
> > }; allow xserver_t staff_t:lnk_file read;
> >
> > The remaining ones are probably just dangerous and risky (commented
> out), in particular the following two:
> >
> > #============= xdm_t ==============
> > #allow xdm_t xdm_tmp_t:file execute;
> > #allow xdm_t self:capability net_admin; #allow xdm_t
> > user_home_dir_t:dir create; #allow xdm_t user_home_dir_t:file { append
> > create open read setattr write };
> >
> > #============= xserver_t ============== #allow xserver_t staff_t:file
> > { open read }; #allow xserver_t staff_t:lnk_file read;
> >
> > So, after relabeling, I suggest you start implementing supplemental
> policy from the top of the list and stop as soon as you achieve the
> desired (or minimum) level of functionality.
> >
> > I hope it helps.
> >
> > Regards,
> >
> > Guido
> >
> > On the 8th of November 2017 04:04:15 CET, David Sugar via refpolicy
> <[email protected]> wrote:
> > >I'm setting up a CentOS 7.3 (soon to be 7.4) system with refpolicy
> > >and trying to start GDM/Gnome. While in permissive I'm seeing a
> > >bunch of denials related to xdm_t (enforcing the greeter never
> > >starts). I'm happy to go through and fix these things to get stuff
> > >working. I just want to make sure that before I begin adding
> > >additional rules to allow the items I'm seeing that I'm not just
> > >missing something (a boolean set incorrectly or a missing module or
> > >something else?). I was kind of assuming that this would just work
> but maybe that isn't the case.
> > >
> > >Here are the denials I'm seeing. Any thoughts?
> > >
> > >#============= colord_t ============== allow colord_t
> > >systemd_sessions_var_run_t:file { getattr open read }; allow colord_t
> > >xdm_t:dir search; allow colord_t xdm_t:file { getattr open read };
> > >
> > >#============= init_t ==============
> > >allow init_t xdm_t:dbus send_msg;
> > >
> > >#============= initrc_t ============== allow initrc_t xdm_t:dbus
> > >send_msg; allow initrc_t xdm_t:process getsched;
> > >
> > >#============= systemd_locale_t ============== allow systemd_locale_t
> > >xdm_t:dbus send_msg;
> > >
> > >#============= systemd_logind_t ============== allow systemd_logind_t
> > >crond_t:dbus send_msg; allow systemd_logind_t crond_t:dir search;
> > >allow systemd_logind_t crond_t:file { getattr open read }; allow
> > >systemd_logind_t init_t:service stop; allow systemd_logind_t
> > >init_var_run_t:service { start status }; allow systemd_logind_t
> > >tmpfs_t:dir { remove_name write };
> > >
> > >#!!!! The file '/run/user/42' is mislabeled on your system.
> > >#!!!! Fix with $ restorecon -R -v /run/user/42 allow systemd_logind_t
> > >user_runtime_root_t:dir mounton; allow systemd_logind_t
> > >user_tmpfs_t:dir { remove_name rmdir write }; allow systemd_logind_t
> > >user_tmpfs_t:file unlink; allow systemd_logind_t xdm_tmpfs_t:dir {
> > >getattr open read remove_name rmdir write }; allow systemd_logind_t
> > >xdm_tmpfs_t:file unlink; allow systemd_logind_t xdm_tmpfs_t:sock_file
> > >unlink;
> > >
> > >#============= systemd_sessions_t ==============
> > >
> > >#!!!! The file '/run/systemd/journal/socket' is mislabeled on your
> > >system.
> > >#!!!! Fix with $ restorecon -R -v /run/systemd/journal/socket allow
> > >systemd_sessions_t kernel_t:unix_dgram_socket sendto;
> > >
> > >#============= xdm_t ==============
> > >allow xdm_t dbusd_exec_t:file { execute execute_no_trans open read };
> > >allow xdm_t init_t:dbus send_msg; allow xdm_t init_t:system status;
> > >allow xdm_t initrc_t:dbus send_msg;
> > >
> > >#!!!! The file '/run/systemd/journal/stdout' is mislabeled on your
> > >system.
> > >#!!!! Fix with $ restorecon -R -v /run/systemd/journal/stdout allow
> > >xdm_t kernel_t:unix_stream_socket connectto; allow xdm_t
> > >self:capability net_admin; allow xdm_t
> > >self:netlink_kobject_uevent_socket { bind create getattr read setopt
> > >}; allow xdm_t self:netlink_selinux_socket { bind create }; allow
> > >xdm_t self:process setcap; allow xdm_t sound_device_t:chr_file {
> > >ioctl open read write }; allow xdm_t staff_t:key { link search write
> > >}; allow xdm_t sysctl_crypto_t:dir search; allow xdm_t
> > >sysctl_crypto_t:file { getattr open read }; allow xdm_t
> > >sysctl_vm_overcommit_t:file { open read }; allow xdm_t
> > >sysctl_vm_t:dir search; allow xdm_t systemd_locale_t:dbus send_msg;
> > >allow xdm_t systemd_logind_var_run_t:dir read; allow xdm_t
> > >systemd_logind_var_run_t:fifo_file write; allow xdm_t
> > >systemd_machined_var_run_t:dir read; allow xdm_t
> > >systemd_sessions_var_run_t:dir { open read }; allow xdm_t
> > >systemd_sessions_var_run_t:file { getattr open read }; allow xdm_t
> > >udev_var_run_t:file { getattr open read };
> > >
> > >#!!!! This avc can be allowed using the boolean
> > >'allow_polyinstantiation'
> > >allow xdm_t user_home_dir_t:dir create; allow xdm_t
> > >user_home_dir_t:file { append create open read setattr write }; allow
> > >xdm_t wm_exec_t:file { execute execute_no_trans getattr open read };
> > >allow xdm_t xdm_tmp_t:file execute; allow xdm_t xkb_var_lib_t:dir
> > >search; allow xdm_t xkb_var_lib_t:file { getattr open read };
> > >
> > >#============= xserver_t ============== allow xserver_t
> > >self:capability sys_ptrace; allow xserver_t staff_t:file { open read
> > >}; allow xserver_t staff_t:lnk_file read; allow xserver_t xdm_t:file
> > >{ open read }; allow xserver_t xdm_t:lnk_file read;
> > >
> > >
> > >Thanks,
> > >Dave Syugar
> > >dsugar at tresys.com
> > >_______________________________________________
> > >refpolicy mailing list
> > >refpolicy at oss.tresys.com
> > >http://oss.tresys.com/mailman/listinfo/refpolicy
> >
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
> > _______________________________________________
> > refpolicy mailing list
> > refpolicy at oss.tresys.com
> > http://oss.tresys.com/mailman/listinfo/refpolicy
>
> --
> Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
> https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
> Dominick Grift